SMTP server configuration: Difference between revisions
No edit summary |
No edit summary |
||
Line 7: | Line 7: | ||
For clues, I can look at the configuration of toot.cat -- I'm pretty sure we configured it with all three. | For clues, I can look at the configuration of toot.cat -- I'm pretty sure we configured it with all three. | ||
==SPF (Sender Policy Framework)== | ==Protocols== | ||
===SPF (Sender Policy Framework)=== | |||
SPF is relatively simple, I think? Last I remember, there's a web tool to help build the necessary TXT records... but I think those domains may already be configured. Will check that. | SPF is relatively simple, I think? Last I remember, there's a web tool to help build the necessary TXT records... but I think those domains may already be configured. Will check that. | ||
==DKIM (DomainKeys Identified Mail)== | ===DKIM (DomainKeys Identified Mail)=== | ||
This has two parts: | This has two parts: | ||
* public key in domain's DNS record | * public key in domain's DNS record | ||
* public key attached to email somehow (shouldn't that be "email signed by private key"? | * public key attached to email somehow (shouldn't that be "email signed by private key"? | ||
==DMARC (Domain-based Message Authentication, Reporting and Conformance)== | ===DMARC (Domain-based Message Authentication, Reporting and Conformance)=== | ||
This also requires a DNS entry which contains machine-readable instructions for any message recipient to automatically authenticate an incoming message. The server receiving any message can check the "from" domain's DNS for a DMARC record. If one is found, the message will be accepted only if it passes the test. Some large email services (such as GMail) will tend to reject messages whose "from" domain does not have a DMARC record. | This also requires a DNS entry which contains machine-readable instructions for any message recipient to automatically authenticate an incoming message. The server receiving any message can check the "from" domain's DNS for a DMARC record. If one is found, the message will be accepted only if it passes the test. Some large email services (such as GMail) will tend to reject messages whose "from" domain does not have a DMARC record. | ||
==Domains== | |||
Relevant DNS entries for relevant domains include: | |||
===hypertwins.org=== | |||
{| | |||
|- | |||
| MX | |||
| hypetwins.org | |||
| mail.vbz.net. | |||
| 10 | |||
| 14400 | |||
|- | |||
| TXT | |||
| hypertwins.org | |||
| v=spf1 mx mx:mail.vbz.net a a:mail.vbz.net ~all | |||
|} | |||
===toot.cat=== | |||
{| | |||
|- | |||
| MX | |||
| toot.cat | |||
| toot.cat. | |||
| 10 | |||
| 14400 | |||
|- | |||
| TXT | |||
| toot_cat._domainkey.toot.cat | |||
| v=DKIM1; h=sha256; k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAunilnmjRTyC8TOdUEFLZuFTLvav31UKfeMU6v3hLp5VoFVRJHpT4ikc2l4euh8bHgMHO4q8EZpBh4YvWnTDaUYYW804b7r6exacVvK0zA3FQKQR3naPBESJ1k3Fa8ccc4nGCfGozreGeKTtzP14FFkcvClLLLoCSqjNvnM4+PLQXQyR+NTKuiwcKW5PzVKakmoqmBjDDp1mQLGqDmwJ6GhQkUYqzmJ4bhcSZso7zTBGPiRfMD+tW8HPhbXS1/MQluzqMfzrsprT+z8x/aRm7S2NAYee7dhWk6wqc/BS5Yzr9CUB4iHN2GozmKyPhDtlvpDb7fFZYGWzaeMj2btU4yQIDAQAB | |||
| 1800 | |||
|- | |||
| TXT | |||
| _dmarc.toot.cat | |||
| v=DMARC1; p=reject; rua=mailto:tootmaster2021@wooz.dev | |||
|- | |||
| TXT | |||
| toot.cat | |||
| v=spf1 mx ip4:143.244.160.92 ip6:2604:a880:400:d0::2354:2001 -all | |||
| 1800 | |||
|} |
Revision as of 15:49, 12 August 2022
This page is, for now, notes towards trying to configure our outgoing email servers so that at least GMail won't bounce notifications from apps like phpBB. The primary return-address domains I want to configure are:
- hypertwins.org
- woozalia.com
- wooz.dev
There seem to be several necessary anti-spam protocols: SPF, DKIM, and DMARC.
For clues, I can look at the configuration of toot.cat -- I'm pretty sure we configured it with all three.
Protocols
SPF (Sender Policy Framework)
SPF is relatively simple, I think? Last I remember, there's a web tool to help build the necessary TXT records... but I think those domains may already be configured. Will check that.
DKIM (DomainKeys Identified Mail)
This has two parts:
- public key in domain's DNS record
- public key attached to email somehow (shouldn't that be "email signed by private key"?
DMARC (Domain-based Message Authentication, Reporting and Conformance)
This also requires a DNS entry which contains machine-readable instructions for any message recipient to automatically authenticate an incoming message. The server receiving any message can check the "from" domain's DNS for a DMARC record. If one is found, the message will be accepted only if it passes the test. Some large email services (such as GMail) will tend to reject messages whose "from" domain does not have a DMARC record.
Domains
Relevant DNS entries for relevant domains include:
hypertwins.org
MX | hypetwins.org | mail.vbz.net. | 10 | 14400 |
TXT | hypertwins.org | v=spf1 mx mx:mail.vbz.net a a:mail.vbz.net ~all |
toot.cat
MX | toot.cat | toot.cat. | 10 | 14400 |
TXT | toot_cat._domainkey.toot.cat | v=DKIM1; h=sha256; k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAunilnmjRTyC8TOdUEFLZuFTLvav31UKfeMU6v3hLp5VoFVRJHpT4ikc2l4euh8bHgMHO4q8EZpBh4YvWnTDaUYYW804b7r6exacVvK0zA3FQKQR3naPBESJ1k3Fa8ccc4nGCfGozreGeKTtzP14FFkcvClLLLoCSqjNvnM4+PLQXQyR+NTKuiwcKW5PzVKakmoqmBjDDp1mQLGqDmwJ6GhQkUYqzmJ4bhcSZso7zTBGPiRfMD+tW8HPhbXS1/MQluzqMfzrsprT+z8x/aRm7S2NAYee7dhWk6wqc/BS5Yzr9CUB4iHN2GozmKyPhDtlvpDb7fFZYGWzaeMj2btU4yQIDAQAB | 1800 | |
TXT | _dmarc.toot.cat | v=DMARC1; p=reject; rua=mailto:tootmaster2021@wooz.dev | ||
TXT | toot.cat | v=spf1 mx ip4:143.244.160.92 ip6:2604:a880:400:d0::2354:2001 -all | 1800 |